
18

On the contrary, I don't see any reason to allow it.
– sevenseacat Apr 29 '11 at 13:59

1

What about a local webapp or an extension? Is it forced to store all its data in a single long html file?
– Vanuan Apr 29 '11 at 15:01

1

@Karpie I agree with your basic theory, but at the same time disagree with the realistic application. There is a marked difference between academic and applied and, in this case, the suggested workarounds (i.e., setting up another server, using security-disabling flags, etc.) seem worse than having an established model where "File in X directory has read permissions on other files in X directory". Perfect? No. Better than kludgy alternatives? Maybe? The example case of "many applications are using HTML help docs" seems a reasonable real-world scenario.
– Farray May 4 '11 at 9:20

@Karpie - you should explain why rather than just tossing in a throw-away like that. Not everyone understands security implications. Educating about what seems to be a fair question would be nice.
– quickly_now May 30 '11 at 4:36

2 Answers
2

I know this is an old question, but I didn't see this important fact mentioned anywhere:

Chrome allows you to add a folder on your file system as a local Web application. Once you do that, files in that folder no longer need to be accessed through the file: protocol -- they become accessible through the chrome-extension:// protocol, e.g., chrome-extension://[app_id]/somefile.html. When accessing your files this way, the restrictions on local file access do not apply.

True, you need to write a small, three-line manifest.json file [1] that specifies the name of your application, but if you want to use multiple local files as a local Web application, it makes some sense, security-wise, to require that you use Chrome's extension architecture to indicate clearly what folders on your hard drive should be accessed like Web applications. That way, Chrome can assume that everything else on your hard drive is not a Web application, and lock down permissions on non-app HTML files that get loaded in the browser. The addition of the manifest.json file adds only a few bytes to your folder, and it doesn't get in the way if you want to use your files in some other browser that does allow unfettered file access.

It's common to use File -> Save As... to save HTML to a file. Often users will save HTML files from different web sites to the same directory (perhaps named "Downloads"). Allowing one of these files to access the other (and possibly upload it somewhere) would be a privacy leak.

Since there are more users than developers and users are less security-aware on average, protecting users probably seems more important.
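
The trade-off between the two answers and the directory-based rule suggested in the comments, written as a small JavaScript model. This is an added example, not code from either answerer or from Chrome; the function names, the file paths and the app id `exampleappid` are constructed, and the origin strings are a simplification.

```javascript
// Simplified model of the origin rules discussed in the answers above.
// Not Chrome's code: function names, paths and the app id are constructed.

function schemeHostOrigin(url) {
  return url.protocol + '//' + url.host;
}

// Locked-down rule: each file: URL is an origin of its own.
function strictOrigin(href) {
  const url = new URL(href);
  return url.protocol === 'file:'
    ? 'file-unique:' + url.pathname
    : schemeHostOrigin(url);
}

// Rule suggested in the comments: files in one directory share an origin.
function directoryOrigin(href) {
  const url = new URL(href);
  if (url.protocol !== 'file:') return schemeHostOrigin(url);
  const dir = url.pathname.slice(0, url.pathname.lastIndexOf('/') + 1);
  return 'file-dir:' + dir;
}

// A document may read a target only when both map to the same origin.
function canRead(originOf, docHref, targetHref) {
  return originOf(docHref) === originOf(targetHref);
}

// Constructed sample locations.
const SAVED_PAGE = 'file:///home/user/Downloads/saved-article.html';
const OTHER_SAVE = 'file:///home/user/Downloads/bank-statement.html';
const APP_INDEX = 'chrome-extension://exampleappid/index.html';
const APP_DATA = 'chrome-extension://exampleappid/data/notes.html';

function compare() {
  return {
    // Two unrelated pages saved into the same Downloads folder.
    strictDownloads: canRead(strictOrigin, SAVED_PAGE, OTHER_SAVE),
    directoryDownloads: canRead(directoryOrigin, SAVED_PAGE, OTHER_SAVE),
    // Two files of one folder registered as a local app.
    strictApp: canRead(strictOrigin, APP_INDEX, APP_DATA),
  };
}

console.log(compare());
```

Under the directory rule the saved article can read the bank statement sitting next to it, which is the leak the second answer describes; registering a folder as an app gives its files a shared origin without loosening anything for the rest of the disk.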